feat(cli): change --list-all-pkgs default to true #9510
Conversation
Changes the default value of the --list-all-pkgs flag from false to true, making Trivy include all packages in JSON reports by default. This improves SBOM generation and provides more comprehensive output by default.

- Update flag default value to true
- Update documentation to reflect the new default
- Update integration tests to explicitly pass --list-all-pkgs=false when needed
- Fix warning logic to only show when user explicitly sets the flag
- Update vulnerability scanner docs to avoid mentioning --list-all-pkgs
Pull Request Overview
This PR changes the default value of the --list-all-pkgs flag from false to true to align with modern supply chain security practices and improve the user experience for SBOM generation workflows.
- Changes the default behavior to include all packages in JSON reports by default
- Updates warning logic to only show when the flag is explicitly set by users
- Modifies test cases and documentation to reflect the new default behavior
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/flag/report_flags.go | Sets default value to true and updates warning logic to check if flag was explicitly set |
| pkg/commands/app.go | Removes --list-all-pkgs from convert command example |
| integration/*.go | Updates test helper functions to use --list-all-pkgs=false when needed |
| docs/**/*.md | Updates CLI documentation and examples to reflect new default value |
Since the default value of --list-all-pkgs has changed to true, integration tests need to explicitly set it to false to maintain existing test behavior and avoid golden file mismatches.
- Add --list-all-pkgs=false to VM tests
- Add --list-all-pkgs=false to SBOM tests
- Remove overrideUID from config_test.go as it was causing issues
LGTM.
For the latest packages that I added, I tried to use the --list-all-pkgs flag so that we can verify both package detection and vulnerabilities (when available).
But for other packages, this flag is usually disabled.
I think we should update the test data, and leave only a few examples with --list-all-pkgs=false.
But this should be done in a separate PR.
Currently, tests such as the package list are covered by fanal's integration tests. If we want to run tests on the Trivy side with |
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` |

---

### Release Notes

<details>
<summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary>

### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30)

[Compare Source](aquasecurity/trivy@v0.66.0...v0.67.0)

##### Features

- add documentation URL for database lock errors ([#9531](aquasecurity/trivy#9531)) ([eba48af](aquasecurity/trivy@eba48af))
- **cli:** change --list-all-pkgs default to true ([#9510](aquasecurity/trivy#9510)) ([7b663d8](aquasecurity/trivy@7b663d8))
- **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](aquasecurity/trivy#9515)) ([42b3bf3](aquasecurity/trivy@42b3bf3))
- **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](aquasecurity/trivy#9439)) ([aff03eb](aquasecurity/trivy@aff03eb))
- **redhat:** add os-release detection for RHEL-based images ([#9458](aquasecurity/trivy#9458)) ([cb25a07](aquasecurity/trivy@cb25a07))
- **sbom:** added support for CoreOS ([#9448](aquasecurity/trivy#9448)) ([6d562a3](aquasecurity/trivy@6d562a3))
- **seal:** add seal support ([#9370](aquasecurity/trivy#9370)) ([e4af279](aquasecurity/trivy@e4af279))

##### Bug Fixes

- **aws:** use `BuildableClient` instead of `xhttp.Client` ([#9436](aquasecurity/trivy#9436)) ([fa6f1bf](aquasecurity/trivy@fa6f1bf))
- close file descriptors and pipes on error paths ([#9536](aquasecurity/trivy#9536)) ([a4cbd6a](aquasecurity/trivy@a4cbd6a))
- **db:** Download database when missing but metadata still exists ([#9393](aquasecurity/trivy#9393)) ([92ebc7e](aquasecurity/trivy@92ebc7e))
- **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](aquasecurity/trivy#9534)) ([c0c7a6b](aquasecurity/trivy@c0c7a6b))
- **misconf:** handle tofu files in module detection ([#9486](aquasecurity/trivy#9486)) ([bfd2f6b](aquasecurity/trivy@bfd2f6b))
- **misconf:** strip build metadata suffixes from image history ([#9498](aquasecurity/trivy#9498)) ([c938806](aquasecurity/trivy@c938806))
- **misconf:** unmark cty values before access ([#9495](aquasecurity/trivy#9495)) ([8e40d27](aquasecurity/trivy@8e40d27))
- **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](aquasecurity/trivy#9497)) ([267a970](aquasecurity/trivy@267a970))
- **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](aquasecurity/trivy#9518)) ([404abb3](aquasecurity/trivy@404abb3))
- **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](aquasecurity/trivy#9330)) ([4517e8c](aquasecurity/trivy@4517e8c))
- **vex:** don't suppress vulns for packages with infinity loop ([#9465](aquasecurity/trivy#9465)) ([78f0d4a](aquasecurity/trivy@78f0d4a))
- **vuln:** compare `nuget` package names in lower case ([#9456](aquasecurity/trivy#9456)) ([1ff9ac7](aquasecurity/trivy@1ff9ac7))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1622
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
Description
This PR changes the default value of the `--list-all-pkgs` flag from `false` to `true` to better align with the growing focus on supply chain security and SBOM (Software Bill of Materials) generation.

Background

While Trivy has traditionally focused on vulnerability detection, the increasing emphasis on supply chain security has created a stronger need for comprehensive package listings and SBOM generation. Users increasingly want to see all packages in their scans, not just those with vulnerabilities.

Problems with Current Behavior

The current default (`--list-all-pkgs=false`) creates several UX issues:

- … `trivy convert`, users must explicitly specify `--format json --list-all-pkgs`

Solution

By changing the default to `true`:

- … `--list-all-pkgs=false`

Before and After Examples

Before (current behavior)

After (with this PR)

Warning Behavior

The warning for using `--list-all-pkgs` with non-JSON formats now only appears when explicitly set by the user:

Before: Warning shown when explicitly using `--list-all-pkgs`

After: Warning only when explicitly set (even though default is now true)
Checklist
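The two behaviours this PR describes, a flag whose default flipped to true and a warning that must fire only when the user set the flag themselves (the "Warning Behavior" section above and the Copilot note on pkg/flag/report_flags.go), are easy to get wrong if the code only inspects the flag's final value, because after the change the value is true whether or not the user typed anything. The following is an added example written for this page, not Trivy's own code: it uses the standard-library `flag` package rather than Trivy's cobra/viper wiring, and `flag.FlagSet.Visit`, which walks only the flags present on the command line, to tell an explicit `--list-all-pkgs` apart from the default. The `Package`, `Vulnerability` and `Result` types, the `SampleResult` data, the exact warning condition in `ShouldWarn`, and the `FilterPackages` model of the old `false` behaviour (keep only packages that carry a finding) are assumptions made for the illustration.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
)

// Package and Vulnerability are minimal stand-ins for entries in a scan
// result; they are constructed for this example and are not Trivy's types.
type Package struct {
	Name    string
	Version string
}

type Vulnerability struct {
	ID      string
	PkgName string
}

// Result models the findings for one scan target.
type Result struct {
	Packages        []Package
	Vulnerabilities []Vulnerability
}

// ReportOptions carries the two report settings the PR touches.
type ReportOptions struct {
	Format      string
	ListAllPkgs bool
}

// ParseReportFlags parses args with --list-all-pkgs defaulting to true (the
// new default) and reports whether the flag was given explicitly.
func ParseReportFlags(args []string) (ReportOptions, bool, error) {
	fs := flag.NewFlagSet("report", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text quiet on parse errors
	var opts ReportOptions
	fs.StringVar(&opts.Format, "format", "table", "output format (table or json)")
	fs.BoolVar(&opts.ListAllPkgs, "list-all-pkgs", true, "include all packages in the JSON report")
	if err := fs.Parse(args); err != nil {
		return opts, false, err
	}
	explicit := false
	// Visit walks only the flags actually set on the command line, which is
	// how a default of true is told apart from an explicit --list-all-pkgs.
	fs.Visit(func(f *flag.Flag) {
		if f.Name == "list-all-pkgs" {
			explicit = true
		}
	})
	return opts, explicit, nil
}

// ShouldWarn decides whether to emit the "flag has no effect with this format"
// warning. Assumed policy: fire only for an explicit --list-all-pkgs (true)
// combined with a non-JSON format, so the new default never triggers it.
func ShouldWarn(opts ReportOptions, explicit bool) bool {
	return explicit && opts.ListAllPkgs && opts.Format != "json"
}

// FilterPackages applies the option to a result: with listAll=false only
// packages referenced by at least one vulnerability are kept (a model of the
// pre-PR default); with listAll=true the result is returned intact.
func FilterPackages(r Result, listAll bool) Result {
	if listAll {
		return r
	}
	vulnerable := make(map[string]bool, len(r.Vulnerabilities))
	for _, v := range r.Vulnerabilities {
		vulnerable[v.PkgName] = true
	}
	out := Result{Vulnerabilities: r.Vulnerabilities}
	for _, p := range r.Packages {
		if vulnerable[p.Name] {
			out.Packages = append(out.Packages, p)
		}
	}
	return out
}

// SampleResult is constructed input: three packages, one with a finding.
func SampleResult() Result {
	return Result{
		Packages: []Package{
			{Name: "libssl3", Version: "3.0.2"},
			{Name: "zlib1g", Version: "1.2.11"},
			{Name: "curl", Version: "7.81.0"},
		},
		Vulnerabilities: []Vulnerability{{ID: "VULN-EXAMPLE-1", PkgName: "curl"}},
	}
}

func main() {
	opts, explicit, err := ParseReportFlags(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if ShouldWarn(opts, explicit) {
		fmt.Fprintln(os.Stderr, "warning: --list-all-pkgs only affects the JSON report")
	}
	r := FilterPackages(SampleResult(), opts.ListAllPkgs)
	fmt.Printf("format=%s list-all-pkgs=%v explicit=%v packages=%d\n",
		opts.Format, opts.ListAllPkgs, explicit, len(r.Packages))
}
```

Running it with no arguments gives the post-PR default (all three packages, no warning); `--list-all-pkgs --format table` is the one combination that warns; `--list-all-pkgs=false` is what the integration tests in this PR pass to keep the old golden files valid, and here it reduces the output to the single package with a finding. The point to carry over to a cobra-based CLI is the same: check whether the flag was changed (cobra exposes this as `Changed` on the flag set), not whether its value happens to be true.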